From: "Bob Johnson" <fbsdlists@gmail.com>
To: "Aryeh M. Friedman"
Cc: freebsd-questions@freebsd.org
Date: Mon, 5 Nov 2007 15:55:56 -0500
Subject: Re: ipv6 confusion
In-Reply-To: <472ED17A.7050001@gmail.com>
Message-ID: <54db43990711051255q62f9f2edue02c05589cebea63@mail.gmail.com>

On 11/5/07, Aryeh M. Friedman wrote:
> I want to set my machine up to be on both IPv4 and IPv6. I have read
> the stuff on 6over4 and such and am still a little confused on a few things:
>
> 1. The machine I want to do the tunneling on is behind a NAT'ed firewall.
> How do I reliably obtain the external IP of the firewall (DHCP
> assigned from the cable company)?

Probably the easiest method is to go to a web site that tells you what IP
you are coming from, e.g. http://www.go6.net (just below the top banner).
Or if you log in to your firewall it will be able to tell you its external
IP number.

> 2. If the machine I want to do the tunneling with is the DMZ host for
> the above FW, do I need to add anything special to the FW's routing tables?

6to4 tunneling uses IP protocol type 41, so you need to tell your FW to
permit protocol 41 traffic. TCP, UDP, ICMP, etc. are all different protocol
types, so the syntax used to allow TCP traffic might work if you use "41"
instead of "TCP". You may also need a way to tell your firewall to route
all protocol 41 traffic to your IPv6 gateway system so it can receive all
of your incoming IPv6 traffic.

> 3. I am a little confused on how to pick the other end of the tunnel and
> how do I configure it once the first 2 items are solved?... The
> confusion comes from how an arbitrary (by me [within the restrictions
> in stf(4)]) selected IPv6 IP is supposed to be routable when IPv4 forces
> me to use the one assigned to me by my upstream router?

Pick the tunnel with the least delay!

The other restrictions only mean that if you have more than one IPv6
system on your local network, they must have unique IPv6 addresses. At
least, I think that's what they mean.

This is the part of IPv6 over IPv4 that I haven't directly experimented
with yet, so I can tell you what I think I understand, not what I've
proven I understand, but here it is:

You will run stf(4) on only one system on your LAN. That system becomes
your gateway to the IPv6 world. Other systems on your LAN get other IPv6
addresses, all with the same initial 48 bits (i.e. they all use the same
IPv4 address to construct their IPv6 address, but the rest of the address
has to be different for each system in your LAN). Outside systems will
send traffic for your LAN to the gateway system (the one running stf) and
it will forward it accordingly. You will need to tell the stf system that
it is supposed to perform that role, which for FreeBSD I think is
accomplished by adding rtadvd_enable="YES" to /etc/rc.conf. You may (or
may not) find it informative to read rtadvd(8). On all the other systems
in your LAN, you just need to enable IPv6, and they will talk to rtadvd
and configure themselves appropriately. At least, that's my understanding.

So far I have not used stf -- instead I have used tunneling via the gw6c
client and Freenet6 (i.e. http://www.go6.net). First install the
net/gateway6 port. Edit /usr/local/etc/gw6c.conf and change the
appropriate parts for an anonymous connection (the comments explain them -
in fact that may be the default). Also set gw6c.conf so your system will
be a router if you have other IPv6 systems on your LAN. Then run gw6c and
it will set up the tunnel, and run rtadvd for you if appropriate. That
should be all you have to do. Again, this is needed only on your gateway
system, so all the other systems on your network need only have IPv6
enabled.

It should also be obvious that both of these methods completely bypass
your existing IPv4 firewall, so every system on your LAN will have
unfirewalled exposure to the Internet, unless you run an IPv6 firewall as
well.

One advantage of using gw6c is that it can build a tunnel over protocol
41, over TCP, or over UDP. So if your firewall prevents you from getting a
6to4/stf tunnel working, try gw6c. I also found it easier to set up than
figuring out what I needed to make stf work, but I'm about to set up an
stf system so I can directly compare the two.

If you like the gw6c method, go to http://www.go6.net and register for a
free account. Then edit gw6c.conf with your account info and other
appropriate changes, and restart it. You will be issued a permanent IPv6
address tied to your account, so that if your external IPv4 address
changes your IPv6 addresses do not change.

- Bob
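The reply above says that every host on the LAN builds its IPv6 address from the same external IPv4 address, that only the stf(4) host acts as gateway, and that the IPv4 firewall must pass protocol 41 to it. The script below is an added example, not code from Bob's message, from Aryeh's question or from FreeBSD itself: it derives the 6to4 prefix (RFC 3056, 2002:WWXX:YYZZ::/48) from the external IPv4 address and prints the gateway and firewall commands that follow from it. The address 192.0.2.1 is a constructed placeholder (TEST-NET-1), the interface name stf0, the FreeBSD 6/7-era ifconfig/route syntax, ipfw on the firewall and the 6to4 relay anycast route via 2002:c058:6301:: (RFC 3068, from 192.88.99.1) are all assumptions; the commands are printed for you to review, not executed.

```shell
#!/bin/sh
# Added example, not part of the message above: derive the 6to4 (stf)
# parameters from the firewall's external IPv4 address.
# RFC 3056: IPv4 address w.x.y.z owns the IPv6 prefix 2002:WWXX:YYZZ::/48.
# RFC 3068: the 6to4 relay anycast address 192.88.99.1 maps to 2002:c058:6301::.

# Print the /48 6to4 prefix for a dotted-quad IPv4 address.
# Returns 1 (prints nothing) unless the input is four decimal octets in 0..255.
ipv4_to_6to4_prefix() {
    addr=$1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # decimal with no leading zeros, so the shell never reads "08" as octal
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    # pack each pair of octets into one 16-bit hex group
    printf '2002:%x:%x::/48\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# Print the commands for the one gateway host running stf(4) and the rule the
# IPv4 firewall needs. Assumed (not from the message): FreeBSD 6/7 stf(4) and
# route(8) syntax, stf0 as the interface name, ipfw on the firewall.
gen_6to4_setup() {
    ext=$1
    prefix=$(ipv4_to_6to4_prefix "$ext") || return 1
    net=${prefix%::/48}                      # 2002:WWXX:YYZZ
    relay=$(ipv4_to_6to4_prefix 192.88.99.1)
    relay=${relay%/48}                       # 2002:c058:6301::
    cat <<EOF
# --- on the gateway host (the only one running stf) ---
ifconfig stf0 create
ifconfig stf0 inet6 ${net}::1 prefixlen 16
route add -inet6 default ${relay}
sysctl net.inet6.ip6.forwarding=1
# ${net}:1::/64 is one /64 out of your /48 for the LAN behind the gateway:
# put it on the LAN interface and let rtadvd(8) announce it to the other hosts.
# --- on the IPv4 firewall (ipfw syntax; protocol 41, not TCP/UDP) ---
ipfw add allow 41 from any to ${ext}
ipfw add allow 41 from ${ext} to any
EOF
}

# Constructed placeholder for the cable modem's external address (TEST-NET-1).
EXTERNAL_IPV4=192.0.2.1
gen_6to4_setup "$EXTERNAL_IPV4"
```

The firewall rule only lets the encapsulated packets reach the gateway; as the message points out, once they are decapsulated nothing on the IPv4 firewall inspects the IPv6 traffic, so add IPv6 filtering on the gateway before turning on net.inet6.ip6.forwarding.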